365 Days Since Sangfor Launched Cyber Incident Response ...

www.sangfor.com Sangfor Technologies Inc.

365 Days Since Sangfor Launched Cyber Incident Response ServiceJEFFREY LEE | CYBER SECURITY CONSULTANTCREST Registered Tester (CRT),

Offensive Security Certified Professional (OSCP),

CompTIA Pentest+ (Pentest+),

Certified Ethical Hacker (CEH)

PART1

PART2

PART3

PART4

Sangfor Technologies CONFIDENTIAL Page 1

Agenda

Cyber Incident Response Statistics

Case StudiesHow Easy is it to Find &

Attack Victims

Summary & Key Takeaways


Why Did Sangfor Launch CIR Service?

• Increased Demand

• Increase Market Security Awareness

• Reduce Number of Attacks

• Sangfor à Trusted Security Advisor


Cyber Incident Response Statistics

Malware

80%

Web Defacement

11%

Phishing Email

6%

Others

3%

Malware Web Defacement Phishing Email Others

Types # of Cases

Malware 68

Web Defacement 9

Phishing Email 5

Others 3

Data From Nov 2019 – Oct 2020

Cyber Incident Response statistics


Details on Malware Case

Malware

Ransomware

Cryptominer

Botnet

# of cases: 51 (75%)

# of cases: 7 (10%)

# of cases: 10 (15%)

# of cases: 68



Details on Malware Case – Ransomware

Ransomware

Lack of Gateway Protection Mechanisms # of cases: 8 (16%)

# of cases: 14 (27%)Lack of Endpoint Protection Mechanisms

# of cases: 51



Details on Malware Case

Ransomware

High Risk Ports Exposed

Malicious Download

Others

# of cases: 42 (82%)

# of cases: 6 (12%)

# of cases: 3 (6%)

# of cases: 51



PART 2 How Easy is it to Find & Attack Victims


It’s Easy To Find Victims!

How

What

WhenWhere


It’s Easy To Find Victims – Transmission Method

Malicious code embedded in attachment (E.g.: Locky, Petya Variant)

Personal PC

Worms

Exploit Kit

Brute Force

Phishing Email

Brute force RDP/SSH/SMB/DB services (E.g.: .java, Globelmposter variant)

Servers with Remote Access

Vulnerability & Command Exploitation (E.g.: WannaCry, Petya Variant)Vulnerable Server

Backlink, iframe & drive-by download (E.g.: Cerber)Vulnerable Workstation

Malware Transmission Method


It’s Easy To Find Victims – Locate Random Victim

Hacker Search Engine

Shodan



Hackers’ Search Engine

Google



Hackers’ Tools

IP Scanning Tools


It’s Easy To Find Victims – Exposed RDP Service


It’s Easy To Find Victims – Exposed RDP Service


It’s Easy To Find Victims – Exposed SMB Service


It’s Easy To Find Victims – Exposed SMB Service


It’s Easy To Find Victims – Google Dorks

Google Hacking Database (GHDB)

- Google Dorks

- E.g.:

• Inurl:”/index.php”

• Intitle:”login page”

• filetype:”.pdf”

• etc…


Attacking These Victims


Attacking Victims – RDP Service


Attacking Victims – RDP Service


Attacking Victims – SMB Service


Attacking Victims – SMB Service


Attacking Victims – Example


Ask yourself....

How Easy is it to Find a Random Victim?

&

How Easy is it to Launch an Attack?


PART 3 Case Studies


Case Studies

Brute Force Attack

• External Attack

• Firewall Not Well Configured

• Antivirus Software Installed

Vulnerability

• Internal Attack

• Firewall Well Configured

• Antivirus Software Installed

Company-X Background Company-Y Background


Case Study 1 – Company-X

Company-X Background

Industry: Tech Hardware & Semiconductors

Company Size: +10,000

Revenue: +130M USD per year

Malware Family: GlobeImposter2.0

Existing Products: P-Firewall + K-Antivirus Software


Case Study 1 – Company-XEvent Verification And Validation


Case Study 1 – Company-XLocating Malicious Files


Case Study 1 – Company-XLocate Patient Zero


Case Study 1 – Company-XInternal East-West Brute Force Attack


Case Study 1 – Company-XBrute Force Attack From Internet


Case Study 1 – Company-XAttack Source Determination


Case Study 1 – Company-XAttack Source Determination


Case Study 1 – Company-X Summary

SSLVPN

Exposed High Risk Ports

Lack of Security Awareness

Weak Password In Use

Incompetent Antivirus software

Insufficient Detection Mechanism

Improper Firewall Configuration

TIARA Service+

IR Service+

Consultation Service+

Sangfor Products

No High Risk Ports Ransomware


Case Study 2

Company-Y Background

Industry: Telecommunications Equipment

Company Size: +40,000

Revenue: +245M per year

Malware Family: Sodinokibi

Existing Products: P-Firewall + S-Antivirus Software


Case Study 2 – Company-YEvent Verification And Validation


Case Study 2 – Company-YLocate Malicious Files


Case Study 2 – Company-YLocate Malicious Files


Case Study 2 – Company-YEmail From S-antivirus Software Vendor


Case Study 2 – Company-YEvent Log Analysis

Machine A


Case Study 2 – Company-YEvent Log Analysis

Machine B


Case Study 2 – Company-YPatient Zero Determination

Machine C



Machine D



Machine FMachine E



Machine G Machine H


Case Study 2 – Company-Y Summary

SSLVPN

Improper Daily Practice

Lack of Security Awareness

Weak Password In Use

Incompetent Antivirus software

Insufficient Detection Mechanism

No Regular Security Patching

TIARA Service+

IR Service+

Consultation Service+

Vulnerability Assessment+

Sangfor Products

No High Risk Ports Ransomware


PART 4 Summary & Key Takeaways


Even with an Umbrella, No One is Dry Walking in the Rain


Preparation is KEY

AFTER ATTACK

DURING ATTACK

BEFORE ATTACK

-Are we prepare enough? -


What Should We Do?

Always Review Your Security Posture

External Attack Surfaces Defense-in-Depth Security Controls

external internal

EASY: External Attack Surface Identification

VAPT: Vulnerability Assessment & Penetration Testing TIARA: Threat Identification, Analysis and Risk Assessment

Interview Consultation Service

EASY VAPT TIARA


Key Takeaways

Always review and

assess security controls

regularly

Can’t afford to suffer the

consequences of

unpreparedness

Prevention is better than Reaction

Failing businesses wait for mistakes and react. Successful businesses avoid mistakes proactively.

Defense


Next Weekly Security Webinar

Network Detection & Response: The Key ToolAvoiding Security Breaches

Network Detection & Response: The key tool avoiding securitybreaches

Prevention does not stop attacks!!! According to AV-TEST,there are over 350,000 new variants of malware detectedevery day. Even if your security system is able to block 99%,hundreds of new malware are stilll able to bypass yoursecurity controls.

Therefore, your security team should detect and investigatequickly for anything they are not able to prevent and finally,remove the security event before it becomes a breach.

Network Detection and Response is the perfect tool to helpyou detect faster, and respond smarter to the threats in yournetwork. Join Sangfor experts on December 8th at [TIME] todiscuss the ins and outs of NDR, it's capabilities and why it's soimportant to an enterprise.

8th December 2020 16:00 (GMT +8)

THANK YOU !

www.sangfor.com Sangfor Technologies Inc.

JEFFREY LEE | CYBER SECURITY CONSULTANTCREST Registered Tester (CRT),

Offensive Security Certified Professional (OSCP),

CompTIA Pentest+ (Pentest+),

Certified Ethical Hacker (CEH)

Date post:	05-Apr-2022
Category:	Documents
Upload:	others
View:	2 times
Download:	0 times

365 Days Since Sangfor Launched Cyber Incident Response ...

Documents